src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx
22 additions & 7 deletions
@@ -56,29 +56,29 @@ The [SameSite](https://web.dev/samesite-cookies-explained/) Attribute selector r
56
56
The selector options are:
57
57
58
58
***None** - Cookies will be sent in all contexts, including cross-origin requests.
59
-
***Lax** - Cookies are allowed to be sent with top-level navigations and will be sent along with GET requests initiated by thirdparty websites.
59
+
***Lax** - Cookies are allowed to be sent with top-level navigations and will be sent along with `GET` requests initiated by third-party websites.
60
60
***Strict** - Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.
61
61
62
62
Refer to the [Mozilla documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value) for more information.
63
63
64
-
#### When not to use SameSite
64
+
#### When not to use `SameSite`
65
65
66
-
Do not enable SameSite restrictions if you have additional sites or applications that rely on a specific application's authorization cookie.
66
+
Do not enable `SameSite` restrictions if you have additional sites or applications that rely on a specific application's authorization cookie.
67
67
68
68
### HttpOnly
69
69
70
-
The HttpOnly flag is a cookie attribute that prevents the cookie from being accessed by any client-side scripts, reducing the likelihood of Cross-Site Scripting (XSS) attacks. This flag is enabled by default.
70
+
The `HttpOnly` flag is a cookie attribute that prevents the cookie from being accessed by any client-side scripts, reducing the likelihood of Cross-Site Scripting (XSS) attacks. This flag is enabled by default.
71
71
72
-
#### When not to use HttpOnly
72
+
#### When not to use `HttpOnly`
73
73
74
-
Do not enable HttpOnly if:
74
+
Do not enable `HttpOnly` if:
75
75
76
76
* You are using the Access application for non-browser based tools (such as SSH or RDP).
77
77
* You have software that relies on being able to access a user's cookie generated by Access.
78
78
79
79
### Binding Cookie
80
80
81
-
The Binding Cookie is an additional cookie created when a user successfully authenticates, shared with Cloudflare to verify identity, and then stripped before it reaches the origin server. The Binding Cookie associates the browser with the Access token; the association protects against compromised authorization tokens because the origin webapp would never see this binding cookie. This protects against session hijack style attacks.
81
+
The Binding Cookie (`CF_Binding`) is an additional cookie created when a user successfully authenticates, shared with Cloudflare to verify identity, and then stripped before it reaches the origin server. The Binding Cookie associates the browser with the Access token; the association protects against compromised authorization tokens because the origin webapp would never see this binding cookie. This protects against session hijack style attacks.
82
82
83
83
#### When not to use Binding Cookie
84
84
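Review bot: the `Strict` bullet (line 60) still reads "third party websites" while the `Lax` bullet on line 59 was just changed to "third-party websites"; hyphenate line 60 as well so the three bullets match, and consider wrapping `GET` the same way in the `Strict` bullet's wording if it ever gains one. In the Binding Cookie paragraph (line 81), the closing sentence "This protects against session hijack style attacks" would read better as "This protects against session-hijacking attacks", and since `CF_Binding` is now named there, the "When not to use Binding Cookie" heading that follows could use the same backticked name for consistency with the `SameSite` and `HttpOnly` headings changed in this hunk.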
@@ -92,6 +92,21 @@ Do not enable Binding Cookie if:
92
92
93
93
The Cookie Path Attribute adds the application's path URL to the `CF_Authorization` cookie. When enabled, a user who logs in to `example.com/path1` must re-authenticate to access `example.com/path2`. When disabled, the `CF_Authorization` cookie is only scoped to the domain and subdomain.
94
94
95
+
## Access Cookies
96
+
97
+
The following Access cookies are essential for core functionality and cannot be disabled. Access cookies are never used for metrics or tracking.
|`CF_Authorization` (cloudflareaccess.com) | JWT stored on the team domain (`<>`) to keep users logged into Access across apps | Set by customer; supports org-wide login | Yes | None |
102
+
|`CF_Authorization` (customer domain) | JWT stored on the app domain that grants access to that specific app | Set by customer | Customer choice (default: No) | Customer choice (default: None) |
103
+
|`CF_Binding`| Optional cookie that protects against session hijacking by binding the token to a browser instance; never sent to origin | Matches app session | Yes | None |
104
+
|`CF_Session`| CSRF token used on the team domain (`cloudflareaccess.com`) | 4 hours | Yes | None |
105
+
|`CF_AppSession`| CSRF token used per app domain, scoped to individual apps | 24 hours | Yes | None |
106
+
|`CF_Device`| Device identification cookie used to maintain posture checks and tie sessions to devices, typically with WARP | Varies | Yes | Lax |
107
+
|`CF_Meta_<aud>`| Metadata cookie that stores app-specific context or audience info; used internally for session management and debugging | Unknown | Yes | None |
108
+
109
+
95
110
## Allow third-party cookies in the browser
96
111
97
112
By default, some browsers block all third-party cookies in private browsing mode, including the `CF_Authorization` cookie. For XHR requests to work in private windows, you will need to exempt your application and <GlossaryTooltipterm="team domain">team domain</GlossaryTooltip> from the browser's tracking protection system.
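Review bot: the new table contradicts the text above it: line 70 states the `HttpOnly` flag "is enabled by default", but the `CF_Authorization` (customer domain) row lists HttpOnly as "Customer choice (default: No)"; one of the two needs correcting before this ships. Two smaller points in the same table: in the first row the team-domain placeholder is empty (`(<>)`) and should name the domain, matching the `CF_Session` row's `cloudflareaccess.com`; and the `CF_Meta_<aud>` row gives its lifetime as "Unknown", which reads as an internal note rather than documentation and should be confirmed or reworded. The table's header and separator rows (lines 98-101) are not shown in this view, so the column meanings (purpose, lifetime, HttpOnly, SameSite) are inferred here and should be checked against the source.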